Breathless news stories about a Gmail data breach began to appear online after media outlets misinterpreted a report about Gmail passwords stolen by infostealers.
Urgent headlines like “Urgent alert issued to anyone who uses Gmail after 183 million passwords leaked” created some panic among Google account holders, necessitating a response from Google and a security researcher who had posted the infostealer logs that started the panic.
“Reports of a ‘Gmail security breach impacting millions of users’ are false,” Google said in a post on X. “Gmail’s defenses are strong, and users remain protected.
“The inaccurate reports are stemming from a misunderstanding of infostealer databases, which routinely compile various credential theft activity occurring across the web,” Google added. “It’s not reflective of a new attack aimed at any one person, tool, or platform.”
The researcher, Troy Hunt of HaveIBeenPwned, said in his own X post that “This story has suddenly gained *way* more traction in recent hours, and something I thought was obvious needs clarifying: this *is not* a Gmail leak, it simply has the credentials of victims infected with malware, and Gmail is the dominant email provider.”
Gmail Data Breach Stories Appeared After Infostealer Data Published
The news stories began to appear after HaveIBeenPwned published an infostealer data set containing 183 million unique email addresses, the websites they were entered into, and the passwords used. Hunt wrote about the data set in a separate blog post, and stories misunderstanding the nature of infostealer malware took over from there.
Gmail may have been the most common email address type in the data set, but hardly the only one, as Hunt noted: “There is every imaginable type of email address in this corpus: Outlook, Yahoo, corporate, government, military and yes, Gmail. This is typical of a corpus of data like this and there is nothing Google specific about it.”
Leaks of all manner of account credentials appear in infostealer databases, and Gmail’s wide usage simply makes it one of the more common email credentials stolen by the malware.
Credentials involving Gmail addresses appear in Cyble’s “Leaked Credentials” threat intelligence database more than 6 billion times, but many may be duplicates because stolen credentials frequently appear on more than one dark web marketplace or forum.
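The following added example (not code from HaveIBeenPwned, Cyble, or Google) shows how a defender triaging such a corpus can separate the email provider from the website a credential was entered into, and collapse rows relisted across sources. The `url:login:password` row layout, the source names, and every sample value are constructed assumptions; passwords containing a colon would need a stricter parser.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed records: (listing source, "url:login:password"). All values are made up.
SAMPLE = [
    ("market-a", "https://shop.example/login:alice@gmail.com:constructed-pw-1"),
    ("forum-b", "https://shop.example/login:alice@gmail.com:constructed-pw-1"),  # relisted copy
    ("market-a", "https://accounts.google.com/signin:bob@gmail.com:constructed-pw-2"),
    ("market-a", "https://intranet.corp.example:8443/:carol@corp.example:constructed-pw-3"),
    ("forum-b", "https://forum.example/login:dave@outlook.com:constructed-pw-4"),
    ("forum-b", "https://bank.example/auth:ALICE@gmail.com:constructed-pw-5"),
    ("forum-b", "not a credential line"),
]

def parse_line(line):
    """Return (site_host, email, password), or None if the row is not a credential."""
    parts = line.strip().rsplit(":", 2)  # split from the right: the URL itself contains ':'
    if len(parts) != 3:
        return None
    url, login, password = parts
    try:
        host = urlsplit(url).hostname
    except ValueError:  # malformed URL
        return None
    local, _, domain = login.lower().partition("@")
    if not host or not local or not domain or not password:
        return None
    return host, f"{local}@{domain}", password

def summarize(records):
    rows = [r for r in (parse_line(line) for _, line in records) if r]
    unique = set(rows)  # same site + address + password seen in two sources counts once
    addresses = {email for _, email, _ in unique}
    return {
        "raw_rows": len(rows),
        "unique_credentials": len(unique),
        "unique_addresses": len(addresses),
        # Which mailbox provider the victims use: says nothing about where the theft occurred.
        "by_email_domain": Counter(e.split("@")[1] for e in addresses),
        # Where Gmail-address credentials were actually entered.
        "sites_for_gmail": Counter(h for h, e, _ in unique if e.endswith("@gmail.com")),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

In the sample, Gmail leads the address count, yet only one of the three Gmail-address credentials was entered on a Google sign-in page; the others belong to unrelated sites.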
Protecting Your Gmail Account
Google said that Gmail users “can protect themselves from credential theft by turning on 2-step verification and adopting passkeys as a stronger and safer alternative to passwords, and resetting passwords when they are found in large batches like this.
“Gmail takes action when we spot large batches of open credentials, helping users reset passwords and resecure accounts,” the company added.
Using complex, unique passwords and resetting them often is another email security step to take.
As Hunt noted, “The primary risk is for people who continue to use those credentials on *any* websites, and the mitigation is a password manager and 2FA.”




